Chinese hackers steal 4.5 million patients’ data

Chinese hackers stole 4.5 million patients’ names, Social Security numbers and other personal data from the computers of one of the country’s largest hospital chains, the company said Monday — the biggest reported cyberattack ever on a U.S. health care company.

Community Health Services and its forensic expert, Mandiant, believe the attacker was an “advanced persistent threat” group from China that used highly sophisticated malware and technology, according to a filing with the Securities and Exchange Commission.

Social Security numbers and other personal data are a gold mine to hackers, who can sell them to black market criminals for use in financial fraud. Complete health care records are even more valuable, bringing up to $316 per record, security experts say. The Chinese hackers may have been blocked by encryption from getting medical records during the attack, according to the experts.

Community Health Services is notifying patients and regulatory agencies as required by law, the company said in the filing. It is insured against related losses and “does not at this time expect a material adverse effect on financial results.”

The Chinese group identified in the theft typically targets intellectual property, such as medical device and equipment development data, Community Health said. Whether the hospital chain was targeted for some particular reason or became victim of an opportunistic attack based on the discovery of a vulnerable data system is unclear.

Whatever the case, the incident is a severe blow to the Tennessee-based company, which earlier this month agreed to pay $98.2 million to the federal government to resolve a fraud investigation into its Medicare and Medicaid billing practices.

Security experts were divided on the eventual cost of the breach. In 2012, the state of Utah acknowledged a health data breach affecting 750,000 Medicaid patients; it already has paid $9 million on security upgrades and credit monitoring and could spend as much as $400 million more to repair identity thefts and fraud that resulted from that attack.

In the case of Community Health, however, the breach might not represent a significant fraud risk to the affected consumers, said Al Pascual of Javelin Strategy and Research, a California security firm.

“There has not been any recent indication that Chinese hackers are actively targeting [personally identifiable information] for resale through underground forums,” he said. But he added, “The potential loss of consumer confidence is not as easily quantified.”

“We know that about one-third of affected consumers will avoid doing business with their health care provider after the provider has been breached — meaning that about 1.5 million Community Health patients might be looking for a new physician in the very near future,” Pascual said.

Larry Ponemon, director of the security-oriented Ponemon Institute, said a recent institute study estimated that each record exposure can cost as much as $201 to repair. That doesn’t mean this breach will cost Community Health $900 million, but “it could be a lot of money,” Ponemon said.

Community Health, which has 206 hospitals in 29 states, said it had been working with federal authorities since the attack to eradicate the malware and fix the security problem. The company provided no indication of harm to patients. Nor did it specify when it discovered the breach or give an estimate of the cost.

The biggest previous reported health care cyberattack, according to the Department of Health and Human Services’ Wall of Shame, was the theft of 1.06 million records from the Montana Department of Public Health and Human Services earlier this year.

HHS spokesman Bill Hall said the department’s Office for Civil Rights had not received a breach report concerning Community Health, “so at this time, we are not in a position to comment.”

Cybersecurity experts have been warning for years that the U.S. health care system, which increasingly carries large volumes of patient data in electronic form, has shabby security against hackers.

“A lot of health care entities have not enacted good practices yet,” said Deven McGraw, a partner in the health care practice of Manatt, Phelps & Phillips.

A company with many hospitals in its system could have a weak institution in the chain. “You may have a health care center that has very strong firewalls, but you’d be surprised how many IT systems don’t have that technical control,” said Dennis Seymour, chief security architect for consultancy Ellumen.

Ponemon said numerous past incidents should have been a wake-up call and that even this one “may not move the complacency meter. It’s very expensive to provide security, and it hasn’t been a priority to health care, even though patient data is the crown jewel of privacy.”

“We could all invest like the CIA,” said Russell Branzell, president of the College of Health Information Management Executives. “But nobody could afford it.”

Two weeks ago his organization launched an association of health information security executives, and it already has 110 members. “We know we need to collaborate, share best practices and learn together to assure that security is protected across the country,” Branzell said.

The fact that the hackers were from China could suggest they knew of a black market for the data or that they were probing the hospital on behalf of the Chinese government, which would have an interest in the security of U.S. health care, Ponemon said.

“If you contaminate millions of medical records, you can damage a country,” he said.

CLARIFICATION: A previous version of this alert misidentified Deven McGraw’s title.